[Freeipa-users] Read-only replicas?

2017-03-13 Thread Stephen
Is there read-only replica support in freeipa? The use case is a dmz. Thanks... -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-12 Thread Stephen Ingram
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: > > yes you can do it. DNS domain and Kerberos realm are two different things. > It's common and AFAIK recommended to capitalize DNS domain to get the realm > but it's not required. > If you really want to have them different make sure: > a) an

[Freeipa-users] Kerberos realm for different domain

2016-12-09 Thread Stephen Ingram
Can you have a domain that belongs to a Kerberos realm with a completely different domain? For example, could example.com belong to the ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the necessary SRV and TXT records to locate it and krb5.conf is configured properly? Steve

[Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Stephen Berg (Contractor)
n account so it will be able to run those ipa commands in a read-only state but not have any authentication requirement? -- Stephen Berg Systems Administrator NRL Code: 7320 Office: 228-688-5738 stephen.berg@nrlssc.navy.mil

[Freeipa-users] Getting client status

2016-04-14 Thread Stephen Berg (Contractor)
d to. So far I can't find a way to do a similar function in FreeIPA. I'd to do this from a cron job on each client once a day. We're running a mix of SciLinux 6.7 and 7.2. The servers are all on 7.2 running ipa VERSION: 4.2.0, API_VERSION: 2.156. -- Stephen Berg Systems Admin

[Freeipa-users] cannot access keys in /var/lib/pki-ca/alias

2016-03-19 Thread Stephen Ingram
I've run into a problem on a v3 IPA where several certificates did not renew automatically with certmonger. I'm now, of course stuck and trying to renew the certificates manually. I've managed to renew the WebUI cert, and now onto the pki-ca certificate in the /var/lib/pki-ca/alias NSS store. I'm t

Re: [Freeipa-users] cannot access keys in /var/lib/pki-ca/alias

2016-03-18 Thread Stephen Ingram
On Thu, Mar 17, 2016 at 7:29 AM, Rob Crittenden wrote: --snip-- > Since I now saw three 'Server-Cert' certificates with two accompanying >> keys, I exported the certs and keys, then removed all of the >> 'Server-Cert' entries and then imported back only the key and the most >> recent cert. That

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-02 Thread Stephen Ingram
cert. > > On 2 July 2015 at 07:03, Rob Crittenden wrote: > >> Stephen Ingram wrote: >> >>> I setup IPA using the internal CA. I'd like to continue using this CA, >>> however, I'd also like to allow authorized external browser users (who >>> have

[Freeipa-users] 3rd party certificate for WebUI only

2015-06-29 Thread Stephen Ingram
I setup IPA using the internal CA. I'd like to continue using this CA, however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for

Re: [Freeipa-users] trust non-IPA certificate client

2015-01-06 Thread Stephen Ingram
On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden wrote: > Stephen Ingram wrote: > > On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram > <mailto:sbing...@gmail.com>> wrote: > > > > I have one client using a certificate issued by a third party > > p

Re: [Freeipa-users] trust non-IPA certificate client

2014-12-16 Thread Stephen Ingram
On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram wrote: > I have one client using a certificate issued by a third party provider > such that any secure (TLS) LDAP queries are refused since the certificates > were not issued by IPA. Since there are only a few clients with foreign >

[Freeipa-users] trust non-IPA certificate client

2014-12-15 Thread Stephen Ingram
I have one client using a certificate issued by a third party provider such that any secure (TLS) LDAP queries are refused since the certificates were not issued by IPA. Since there are only a few clients with foreign certificates, can the CA simply be added to the NSS database used by the 389 dire

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Stephen Benjamin
On Wed, Nov 05, 2014 at 10:20:36AM -0500, Rob Crittenden wrote: > Stephen Benjamin wrote: > > On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote: > >>>> Also when I look at the permissions in ipa there are no longer any > >>>> perm

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Stephen Benjamin
d page > >>>>> http://www.freeipa.org/page/Downloads#Upgrading ) > >>>>> > >>>>> 'yum update' works fine > >>>>> > >>>>> My internal zones didn't resolv after the update > >>>>> ipa-ldap-updater /us

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Stephen Benjamin
There's an open pull request against foreman's Smart Proxy to include that in the next release: https://github.com/theforeman/smart-proxy/pull/231 -- Stephen Benjamin __ Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn Ha

Re: [Freeipa-users] DNS records not removed

2014-07-09 Thread Stephen Benjamin
On Wed, Jul 09, 2014 at 12:05:04PM +0200, Martin Basti wrote: > On 09/07/14 11:27, Stephen Benjamin wrote: > >- Original Message - > >>From: "Martin Basti" > >>To: "Stephen Benjamin" , freeipa-users@redhat.com > >>Sent: Tuesday, July

[Freeipa-users] DNS records not removed

2014-07-08 Thread Stephen Benjamin
rights=False, all=False, raw=False) [Tue Jul 08 14:17:59 2014] [error] ipa: INFO: realm-caps...@katello.example.org: host_del((u'realm-rhel6.katello.example.org',), updatedns=True): NotFound [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: response: NotFo

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Stephen Benjamin
- Original Message - > From: "Jakub Hrozek" > To: freeipa-users@redhat.com > Sent: Monday, April 28, 2014 10:55:16 AM > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5 > > On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote: > > -

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Stephen Benjamin
- Original Message - > From: "Dmitri Pal" > To: "Stephen Benjamin" > Cc: "Martin Kosek" , "Jan Cholasta" , > freeipa-users@redhat.com, "Tomas Babej" > > Sent: Friday, April 25, 2014 3:59:31 PM > Subject: Re: [Fr

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Stephen Benjamin
- Original Message - > From: "Dmitri Pal" > To: "Martin Kosek" , "Stephen Benjamin" > > Cc: "Jan Cholasta" , freeipa-users@redhat.com, "Tomas > Babej" > Sent: Friday, April 25, 2014 3:42:39 PM > Subject: Re: [F

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Stephen Benjamin
- Original Message - > From: "Martin Kosek" > To: "Stephen Benjamin" , "Jan Cholasta" > > Cc: d...@redhat.com, freeipa-users@redhat.com, "Tomas Babej" > > Sent: Friday, April 25, 2014 10:54:13 AM > Subject: Re: [Fre

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-25 Thread Stephen Benjamin
- Original Message - > From: "Jan Cholasta" > To: "Martin Kosek" , d...@redhat.com, "Stephen Benjamin" > > Cc: freeipa-users@redhat.com > Sent: Friday, April 25, 2014 9:44:37 AM > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5 >

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-23 Thread Stephen Benjamin
- Original Message - > From: "Dmitri Pal" > To: "Stephen Benjamin" > Cc: freeipa-users@redhat.com > Sent: Thursday, April 24, 2014 12:28:48 AM > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5 > > >> Several questions: > >>

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-23 Thread Stephen Benjamin
Hi, - Original Message - > From: "Dmitri Pal" > To: freeipa-users@redhat.com, stben...@redhat.com > Sent: Wednesday, April 23, 2014 10:16:16 PM > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5 > > On 04/23/2014 10:00 AM, Stephen Benjamin wrote: > &

[Freeipa-users] FreeIPA + Foreman 1.5

2014-04-23 Thread Stephen Benjamin
p, I'm stbenjam over on #theforeman or #freeipa IRC channels. Note - There's at least one bug whose fix should be merged in RC2: unenrolled hosts aren't deleted from IPA correctly. Otherwise it should all work as advertised! Thanks!! Stephen -- Steph

Re: [Freeipa-users] Using puppet to add servers to IPA

2014-04-10 Thread Stephen Benjamin
- Original Message - > From: "Brent Clark" > To: freeipa-users@redhat.com > Sent: Thursday, April 10, 2014 6:24:17 PM > Subject: [Freeipa-users] Using puppet to add servers to IPA > > Hello, > > I'm looking to use puppet to add my servers to IPA automatically. This > would be used when

[Freeipa-users] Unofficial SSSD 1.9.x repository for RHEL 5

2014-02-20 Thread Stephen Gallagher
Due to popular request, I am offering a completely unofficial and unsupported repository of the latest 1.9.x LTM bits for RHEL 5 and derivatives. The latest official version supported by the distribution is 1.5.x. These packages are built from the ups

Re: [Freeipa-users] sudo 'run as' question

2014-02-09 Thread Stephen Benjamin
-int.jamar.loc. You need to specify the user, because the default for sudo is root. sudo -u image Although, this won't work - your init script is using runuser, which an unprivileged user can't use. HTH. Stephen ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Stephen Ingram
On Fri, Jan 3, 2014 at 11:37 AM, Dmitri Pal wrote: > On 01/03/2014 02:33 PM, Stephen Ingram wrote: > > On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal wrote: > >> On 01/03/2014 12:50 PM, Will Sheldon wrote: >> >> Thanks Petr, that certainly makes sense from the poi

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Stephen Ingram
On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal wrote: > On 01/03/2014 12:50 PM, Will Sheldon wrote: > > Thanks Petr, that certainly makes sense from the point of view of > functionality. > > I do think the default is sane, but there are a lot of possible deployment > scenarios and my concern is th

[Freeipa-users] fine-grained permissions for DNS tasks

2013-12-12 Thread Stephen Ingram
Is it possible to restrict user to say a DNS Administrator role for only one domain in the system? Steve

Re: [Freeipa-users] "Remove Host" Permission Not Working

2013-11-12 Thread Stephen Benjamin
- Original Message - > From: "Martin Kosek" > To: "Stephen Benjamin" , freeipa-users@redhat.com > Sent: Tuesday, November 12, 2013 9:57:04 AM > Subject: Re: [Freeipa-users] "Remove Host" Permission Not Working e out the right one to give. > &g

[Freeipa-users] "Remove Host" Permission Not Working

2013-11-11 Thread Stephen Benjamin
ost_del((u'testbuild.bitbin.de',), updatedns=False): ACIError Is there an additional permission I need? I tried a bunch of different permissions but I couldn't figure out the right one to give. Thanks, Stephen

Re: [Freeipa-users] TTL in individual DNS records

2013-10-21 Thread Stephen Ingram
On Mon, Oct 21, 2013 at 9:37 AM, Petr Spacek wrote: > On 21.10.2013 17:58, Stephen Ingram wrote: > >> On Sun, Oct 20, 2013 at 11:44 PM, Petr Spacek wrote: >> >> On 18.10.2013 21:44, Stephen Ingram wrote: >>> >>> I'm using IPA 3.0.x on RHEL 6.4

Re: [Freeipa-users] TTL in individual DNS records

2013-10-21 Thread Stephen Ingram
On Sun, Oct 20, 2013 at 11:44 PM, Petr Spacek wrote: > On 18.10.2013 21:44, Stephen Ingram wrote: > >> I'm using IPA 3.0.x on RHEL 6.4 and trying to setup other zones in DNS. I >> notice that regardless of the TTL set in the SOA for the zone, the >> individual re

[Freeipa-users] TTL in individual DNS records

2013-10-18 Thread Stephen Ingram
I'm using IPA 3.0.x on RHEL 6.4 and trying to setup other zones in DNS. I notice that regardless of the TTL set in the SOA for the zone, the individual records default to 86400. I see there has been previous discussion on the list ( https://www.redhat.com/archives/freeipa-users/2012-November/msg001

Re: [Freeipa-users] disable forms-based login

2013-07-22 Thread Stephen Ingram
On Mon, Jul 22, 2013 at 9:29 AM, Simo Sorce wrote: > On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote: > > On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek > > wrote: > > On 07/20/2013 02:51 AM, Stephen Ingram wrote: > > > Is there a way to di

Re: [Freeipa-users] disable forms-based login

2013-07-22 Thread Stephen Ingram
On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek wrote: > On 07/20/2013 02:51 AM, Stephen Ingram wrote: > > Is there a way to disable the forms-based login to the WebUI and require > a > > Kerberos ticket? > > > > Steve > > Hello, > > No, this is curre

[Freeipa-users] disable forms-based login

2013-07-19 Thread Stephen Ingram
Is there a way to disable the forms-based login to the WebUI and require a Kerberos ticket? Steve

Re: [Freeipa-users] Replicate on Servers with different Version (Minor)

2013-07-07 Thread Stephen Ingram
On Sun, Jul 7, 2013 at 2:11 PM, Schmitt, Christian wrote: > Hello is it possible to replicate FreeIPA Server with different Minor > versions? > Currently we are running a FreeIPA Server on Fedora 19 since CentOS/RHEL > only has a FreeIPA 2.X Server and we wanted the features of FreeIPA 3.X. > Woul

Re: [Freeipa-users] SSL Private Key?

2013-06-23 Thread Stephen Ingram
On Sun, Jun 23, 2013 at 9:18 PM, wrote: > > ipa-client-3.0.0-26.el6_4.4.x86_64 > > * When the IPA client is initally installed does anyone know where the SSL > private key is kept on an IPA client PC? > IPA uses NSS by default for SSL. The private key is stored in the NSS database in /etc/pki/ns

Re: [Freeipa-users] User Roles and access in GUI

2013-04-15 Thread Stephen Ingram
On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal wrote: > On 04/15/2013 11:11 AM, Chandan Kumar wrote: > > > I think controlling Visibility of tabs would be the best option, if > possible, based on Roles as mentioned by Rob. As long as other entries are > not visible in UI, even though they have rea

Re: [Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

2013-03-22 Thread Stephen Gallagher
On 03/21/2013 09:04 AM, Jan-Frode Myklebust wrote: > Serverdefault has a hack for supporting nested groups on > RHEL5/apache-2.2 involving a ldap filter using > LDAP_MATCHING_RULE_IN_CHAIN on Active Directory, ref: > > http://serverfault.com/a/42470

Re: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)

2013-01-02 Thread Stephen Gallagher
On 12/28/2012 10:23 AM, Michael B. Trausch wrote: On 12/28/2012 08:56 AM, Simo Sorce wrote: However re-reading the ticket made me wonder. Is this happening on the F18 machine or on the Centos 6.3 machine ? The sigsegv is happening on the Fedora 18 box, the one running FreeIPA 3.1.0. I am comp

Re: [Freeipa-users] sssd cache

2012-11-16 Thread Stephen Gallagher
On Fri 16 Nov 2012 08:56:59 AM EST, Natxo Asenjo wrote: On Fri, Nov 16, 2012 at 2:52 PM, Natxo Asenjo wrote: hi, when running getent negroup I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO). According t

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Wed, Oct 31, 2012 at 10:21 PM, Peter Brown wrote: > On 1 November 2012 15:07, Stephen Ingram wrote: >> >> On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown wrote: >> > On 1 November 2012 08:20, Stephen Ingram wrote: >> >> >> >> On Tue, O

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown wrote: > On 1 November 2012 08:20, Stephen Ingram wrote: >> >> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown wrote: >> > Hi everyone, >> > >> > I have been trying to work out how to achieve this. >> &g

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown wrote: > Hi everyone, > > I have been trying to work out how to achieve this. > I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and > dovecot on my new mail server authenticating against Freeipa. > One last thing I would love to do i

Re: [Freeipa-users] Sudo not working

2012-10-31 Thread Stephen Gallagher
On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote: I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf

Re: [Freeipa-users] User's choice: automount or autocreate?

2012-10-31 Thread Stephen Gallagher
On Wed 31 Oct 2012 08:56:14 AM EDT, Bret Wortman wrote: Has anyone set things up so that individual users have the option to automount a homedir or have one autocreated on each system they use for them? I have some users who prefer one way and others who prefer the other. Both have valid reasons

Re: [Freeipa-users] saslauthd on freeipa machine

2012-10-05 Thread Stephen Ingram
On Fri, Oct 5, 2012 at 10:03 AM, Dmitri Pal wrote: > On 10/05/2012 12:16 PM, Stephen Ingram wrote: >> As I typically have saslauthd use kerberos to authenticate users I >> really haven't had the occasion to try before. Since freeipa machines >> use SSSD to help man

Re: [Freeipa-users] PAM / SSSD / HBAC

2012-08-29 Thread Stephen Gallagher
On Tue, 2012-08-28 at 17:21 -0400, Rob Crittenden wrote: > Michael Mercier wrote: > > On 2012-08-22, at 4:12 PM, Rob Crittenden wrote: > > > >> Michael Mercier wrote: > >>> Hello, > >>> > >>> In Aug 2010, someone posted a message to this list about integrating > >>> tacacs+ with freeipa > >>> https

Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

2012-08-23 Thread Stephen Ingram
On Thu, Aug 23, 2012 at 2:26 PM, Steven Jones wrote: > Some notes on the identity manual which says its for RHEl6, > > "13.4.2. Client Configuration for sudo Rules This example specifically > configures a Red Hat Enterprise Linux 6 client for sudo rules. > > 8>< > > 2. Enable debug logging for

Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

2012-08-17 Thread Stephen Gallagher
On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote: > On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote: > > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running > > well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA > > server and each morning I rec

Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Stephen Gallagher
On Fri, 2012-08-17 at 11:42 +0200, Jakub Hrozek wrote: > On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote: > > Hi, > > > > What is the default length of time the sssd daemon on a client caches for > > once IPA is off line pls? > > > > If the IPA provider is offline, we never remove

Re: [Freeipa-users] User can't login via ssh from external source

2012-07-20 Thread Stephen Gallagher
On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote: > On 07/20/2012 03:03 PM, Joe Linoff wrote: > When you set the password on the server using the ipa passwd command > you make it know to the admin. This is why it is right away expired > and requires a change. > A user needs to log in through th

Re: [Freeipa-users] IPA and UIDS <500

2012-07-19 Thread Stephen Gallagher
On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote: > Does this mean that it's impossible to have IPA authenticate the > oracle user or any other user that is normally below 500? > > Our security team is asking that we manage the passwords of oracle and > other users centrally. Can IPA do thi

Re: [Freeipa-users] IPA and UIDS <500

2012-07-19 Thread Stephen Gallagher
On Thu, 2012-07-19 at 00:53 +, Steven Jones wrote: > Actually its pamunless IPA is as well. > > Which makes sense then to have an application run < 500 so inherently it > cannot be logged into via ssh Well, it's possible to configure your system to allow logging in to users below 500

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 2:26 PM, Dmitri Pal wrote: > On 07/18/2012 05:09 PM, Stephen Ingram wrote: >> On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal wrote: >>> On 07/18/2012 04:27 PM, Stephen Ingram wrote: >>>> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote

Re: [Freeipa-users] a user called oracle

2012-07-18 Thread Stephen Gallagher
On Thu, 2012-07-19 at 00:39 +, Steven Jones wrote: > Hi, > > I want to create a user that users who can login to a host can sudo -i > to, but I don't want to allow that user ssh or login but must exist on the > server such that the sudo -i command will succeed. > > I cannot see how this i

Re: [Freeipa-users] IPA and UIDS <500

2012-07-18 Thread Stephen Gallagher
On Thu, 2012-07-19 at 00:02 +, Steven Jones wrote: > Hi, > > Is there a rule or something that makes users with a UID of less than > 500 not work? Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for system services such as the apache user. On newer Fedora systems (and

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal wrote: > On 07/18/2012 04:27 PM, Stephen Ingram wrote: >> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote: >>> On 07/18/2012 03:45 PM, Stephen Ingram wrote: >>>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote: > On 07/18/2012 03:45 PM, Stephen Ingram wrote: >> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote: >>> On 07/18/2012 02:59 PM, Stephen Ingram wrote: >>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik >>

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 10:59 AM, Dmitri Pal wrote: > On 07/18/2012 01:53 PM, Stephen Ingram wrote: >> On Tue, Jul 17, 2012 at 3:56 PM, John Dennis wrote: >>> On 07/17/2012 05:43 PM, Stephen Ingram wrote: >>> >>>> [ details of performance analysis s

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote: > On 07/18/2012 02:59 PM, Stephen Ingram wrote: >> >> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik >> wrote: >>> >>> On 07/17/2012 11:43 PM, Stephen Ingram wrote: >>> >>> 8><-

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik wrote: > On 07/17/2012 11:43 PM, Stephen Ingram wrote: > > 8><-- > > >>>> >>>> I'm beginning to think this is just the Web UI itself instead of 389 >>>> although it is really difficul

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-18 Thread Stephen Ingram
On Tue, Jul 17, 2012 at 3:56 PM, John Dennis wrote: > On 07/17/2012 05:43 PM, Stephen Ingram wrote: > >> [ details of performance analysis snipped for brevity ] > > I wonder if we shouldn't add some timing metrics to our code. As it is it's > very hard to know wher

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-17 Thread Stephen Ingram
On Tue, Jul 17, 2012 at 2:01 PM, Rob Crittenden wrote: > Stephen Ingram wrote: >> >> On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden >> wrote: >>> >>> Stephen Ingram wrote: >>>> >>>> >>>> On Mon, Jul 16, 2012 at 11:

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-17 Thread Stephen Ingram
On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden wrote: > Stephen Ingram wrote: >> >> On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson >> wrote: >>> >>> On 07/16/2012 11:48 AM, Stephen Ingram wrote: >>>> >>>> >>>> On Mo

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-16 Thread Stephen Ingram
On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson wrote: > On 07/16/2012 11:48 AM, Stephen Ingram wrote: >> >> On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson >> wrote: >>> >>> On 07/16/2012 10:19 AM, Stephen Ingram wrote: >>>> >>>

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-16 Thread Stephen Ingram
On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson wrote: > On 07/16/2012 10:19 AM, Stephen Ingram wrote: >> >> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden >> wrote: >>> >>> Stephen Ingram wrote: >>>> >>>> On Thu, Jul 12, 2012 at

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-16 Thread Stephen Ingram
On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote: > Stephen Ingram wrote: >> >> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones >> wrote: >>> >>> Hi, >>> >>> I had huge memory issues pre 6.3, now its low and flat. Sounds like yo

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-12 Thread Stephen Ingram
On Thu, Jul 12, 2012 at 3:41 PM, Dmitri Pal wrote: > On 07/12/2012 06:19 PM, Stephen Ingram wrote: >> On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote: >>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones >>> wrote: >>>> Hi, >>>> >>

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-12 Thread Stephen Ingram
On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote: > On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote: >> Hi, >> >> I had huge memory issues pre 6.3, now its low and flat. Sounds like you >> have an issue somewhere. My normal cpu use is a few hundred mhz

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-12 Thread Stephen Ingram
On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote: > Hi, > > I had huge memory issues pre 6.3, now its low and flat. Sounds like you > have an issue somewhere. My normal cpu use is a few hundred mhz, but when > "something" goes wrong such as replication failing that climbs...ditto memory

[Freeipa-users] 2.20 dirsrv memory usage

2012-07-12 Thread Stephen Ingram
I was previously using 2.1.4 and know that there was a substantial memory leak in the directory server. After upgrading to 2.20, I notice that although overall memory usage seems higher, the "creep" upwards is not as quick. Although memory still tends to trend upward leaving me to worry that dirsrv

Re: [Freeipa-users] Authentication failure when a reset the password

2012-06-29 Thread Stephen Ingram
On Fri, Jun 29, 2012 at 6:11 PM, Joe Linoff wrote: > Hi Everybody. > > > > I ran into a strange problem today: I reset a user password in the GUI to > “Test1234” for testing but when I tried to login as that user and enter the > password, I got an authentication error. Does anyone know why this mi

Re: [Freeipa-users] rfe: ldap for dhcp

2012-06-26 Thread Stephen Gallagher
On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote: > hi, > > recently it was brought to my attention that isp-dhcpd version 4.2 > supports getting its database information from ldap. Earlier versions > support it as well with a patch. > > It would be awesome if this could be integrated in IP

Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

2012-06-25 Thread Stephen Gallagher
On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote: > On 06/25/2012 02:36 PM, Simo Sorce wrote: > > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote: > >> Simo are you sure simple bind is enough? I thought that it should be a > >> bind over SSL with some specific ext op. Do I recall it wrong?

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread Stephen Gallagher
On Mon, 2012-06-25 at 11:09 -0700, george he wrote: > Hi Stephen, > > > Here are the lines from /var/log/messages. it seems there's some info, > but I don't understand it... ... > Jun 25 14:03:53 mz dbus-daemon[775]: dbus[775]: [system] Rejected send >

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread Stephen Gallagher
On Mon, 2012-06-25 at 10:55 -0700, george he wrote: > Hi Stephen, > selinux was set to permissive before I installed the client. ( I > modified the file /etc/sysconfig/selinex) Modifying that file without a reboot does not change the current state. That only tells the kernel whether to

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread Stephen Gallagher
On Mon, 2012-06-25 at 10:41 -0700, george he wrote: > Hi Stephen, > > > I already have a home directory which was created the first time I ssh > in. > Now when I click on "sign in", nothing happens... > Just to experiment, try 'setenforce 0' as root

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread Stephen Gallagher
On Mon, 2012-06-25 at 10:25 -0700, george he wrote: > Hello Stephen, > > > this is what in the log file: > > Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth): > authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= > rhost= user=jhe

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread Stephen Gallagher
On Mon, 2012-06-25 at 09:52 -0700, george he wrote: > Hello, > I have a server and a few client set up. I can ssh to the server or > clients. But there's no entry on the console gdm for ipa user, and I > cannot login by choosing "others" either. > What do I need to set up for gdm log on? I searched

Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

2012-06-25 Thread Stephen Gallagher
On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote: > Hi Mark: > > > > I did not find any entries related to passwords in the LDAP record. > There were some entries that looked as though they were related to > Kerberos which might be useful. > > % ldapseach -LLL -x -b > "uid=bigbob,cn=users,c

Re: [Freeipa-users] Add attributes to default user schema

2012-06-23 Thread Stephen Ingram
On Fri, Jun 22, 2012 at 1:37 PM, Rob Crittenden wrote: > Dmitri Pal wrote: >> >> On 06/22/2012 12:28 PM, Stephen Ingram wrote: >>> >>> On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal  wrote: >>>> >>>> On 06/22/2012 01:57 AM, Stephen Ingram w

Re: [Freeipa-users] Add attributes to default user schema

2012-06-22 Thread Stephen Ingram
On Fri, Jun 22, 2012 at 6:25 AM, Dmitri Pal wrote: > On 06/22/2012 01:57 AM, Stephen Ingram wrote: >> On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote: >>> On 06/21/2012 05:44 PM, Stephen Ingram wrote: >>>> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote: >

Re: [Freeipa-users] Add attributes to default user schema

2012-06-21 Thread Stephen Ingram
On Thu, Jun 21, 2012 at 3:22 PM, Dmitri Pal wrote: > On 06/21/2012 05:44 PM, Stephen Ingram wrote: >> On Thu, Jun 21, 2012 at 2:06 PM, James James wrote: >>> Hi everybody, >>> >>> Is it possible to have a procedure to add new attributes like >>> ma

Re: [Freeipa-users] Add attributes to default user schema

2012-06-21 Thread Stephen Ingram
On Thu, Jun 21, 2012 at 2:06 PM, James James wrote: > Hi everybody, > > Is it possible to have a procedure to add new attributes like > mailAlternateAddress in the default user schema ? That particular attribute is included in the schema (objectclass=mailRecipient) so it is easy to add using the

Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Stephen Ingram
On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce wrote: > On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote: >> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: >> > On 06/18/2012 11:58 AM, Darran Lofthouse wrote: >> >> Just experienced some weird behaviou

Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Stephen Ingram
On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce wrote: > On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote: >> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos >> principals or must you use the cn=accounts,cn=users container? I'm >> thinking thi

Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Stephen Ingram
On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal wrote: > On 06/18/2012 11:58 AM, Darran Lofthouse wrote: >> Just experienced some weird behaviour on my Fedora 17 installation, >> just wanted to check if this was expected. >> >> I have the default config that requires a user to change their >> password

Re: [Freeipa-users] odd cron behaviour

2012-06-15 Thread Stephen Gallagher
On Fri, 2012-06-15 at 15:19 +0200, Sigbjorn Lie wrote: > Hi, > > I've seen cron jobs on some of our machines not being run after they we're > migrated to IPA. The > machines in question has not been restarted after they we're migrated from > NIS to IPA. > > These are RHEL 6 machines. The users

[Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-15 Thread Stephen Ingram
Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos principals or must you use the cn=accounts,cn=users container? I'm thinking this for script-authenticated machine accounts (might be of form user-hostname@REALM or user/hostname@REALM) that need to authenticate to another machine

Re: [Freeipa-users] ipa client - turn off NetworkManager?

2012-06-11 Thread Stephen Gallagher
On Mon, 2012-06-11 at 12:25 -0400, Dmitri Pal wrote: > On 06/09/2012 06:24 AM, Joe Linoff wrote: > > Hi: > > > > > > > > I read somewhere that I should turn off the NetworkManager service > > on the IPA server. Should I do same on the clients? ... > > There was a problem with earlier versions

Re: [Freeipa-users] Administration question: root user

2012-06-06 Thread Stephen Gallagher
On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote: > Hi Folks: > > > > I am a newbie so I apologize in advance if this is a silly set of > questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy > with it but I have a couple of questions about root access. When I > setup my system

Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

2012-06-04 Thread Stephen Gallagher
On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote: > On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote: > > Hi: > > > > > > > > I am a newbie that is trying out FreeIPA for the first time. So far I > > am extremely impressed with this system but I ran into a problem that > > I need some h

[Freeipa-users] New mailing list: sssd-users

2012-05-22 Thread Stephen Gallagher
For quite some time, we have used the sssd-devel mailing list for development and user configuration issue discussions. As the project has grown, it becomes more and more clear that we need to separate these topics into their own lists. So as of today, we now have a new mailing list for user quest

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-18 Thread Stephen Ingram
On Fri, May 18, 2012 at 2:35 PM, Gelen James wrote: > Hi all, > >  Are the sudo rules applied to IPA clients through nss_ldap, instead of > sssd? > >  I tried that on Redhat 6.2 clients, and some documents said that sudo rules > would work when enabled inside /etc/nslcd.conf, but we need to hack t

Re: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install

2012-05-11 Thread Stephen Gallagher
On Fri, 2012-05-11 at 13:16 +0200, pasqual milvaques wrote: > root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389 > root : ERROR LDAP Error: Connect error: A TLS packet with unexpected > length was received. > Failed to verify that freeipaserver.linux.gva.es is an IPA Server. > Thi
